Warning: Hackers Are Using SSH Tunnels to Send Spam

I spend a lot of time investigating spam incidents for customers. Typically, hackers use a few common techniques to send their spam. The most common issues I see are:

Web application exploits.

Contact form exploits.

Compromised user passwords.

These exploits are easy to spot because they leave clear evidence in the logs. In the case of PHP, you can enable PHP mail logging and quickly find the script sending the spam. This makes stopping these types of attacks easy.

So here’s what I did:

What just happened?

The ssh command tunneled port 25 on the localhost back to my system on port 2000.

I can now send email through the remote host by connecting locally on port 2000.

The attackers used this technique to inject tens of thousands of emails into the server.

This is a clever approach. Unlike other attacks, this method leaves few clues.

With some sleuthing, however, you can catch this attack. You can even prevent it with a simple change to SSH.

Sending Spam with SSH Tunnels

I don’t want to be alarmist, so I want to make it clear:

This SSH spam method requires access to a user account.

In this incident, the attacker had compromised a user account due to a poor quality password.

This is essentially a password compromise, but unlike most attacks, the attackers used an SSH tunnel. The tunnel made it more difficult to detect and block the exploit.

Here’s a breakdown of how the technique works.

TCP Tunnel to SMTP

SSH, by default, permits TCP port forwarding. The attackers were using this feature to forward the SMTP port over SSH back to their local system.

Using an SSH tunnel, you can forward a remote port 25 connection back to your local system and use it to send email without authentication.

As you can see in the diagram, the attacker connects to your server over SSH using a compromised user account. Then, they set up an SSH tunnel to forward port 25 back to their system. They can then connect locally to port 2000 (or any port they select) to send spam. Since most servers trust SMTP connections on localhost, no authentication is required.

With this tunnel in place, the attacker can now send spam via the SSH tunnel.

SMTP AUTH & Localhost

In most spam cases involving an exploited password, attackers connect directly to the mail server. As a result, your mail logs will be filled with SMTP authentication attempts – often from many IP addresses. This makes it easy to identify the compromised account.

With the SSH tunnel technique, SMTP authentication is not required. As a result, there’s remarkably little evidence in the logs of an attack.

The only indication of a problem is a high volume of bounces or email being sent via localhost.

The attack works because most servers implicitly trust email from localhost. For email sent via a localhost connection to the SMTP server, SMTP AUTH is not required.

Without SMTP authentication, there is no log evidence to identify the compromised account. You just see a lot of email coming from localhost.

Investigating SSH Tunnel Attacks

There are two clues I found with this attack:

Email logs showing SMTP connections from localhost

Netstat showing SSH connecting to SMTP
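The two clues above can be checked with a few lines of shell. This is an added example, not the original post's own script: it runs the netstat check and the mail-log count over constructed sample data (the PIDs, hostnames and addresses are made up), and adds a check of sshd_config for AllowTcpForwarding, the sshd option that controls the port forwarding the tunnel relies on.

```shell
#!/bin/sh
# Constructed sample of `netstat -tnp` output. The sshd child for user
# "alice" is the client side of two port-25 connections: that is what a
# forwarded tunnel looks like from the server.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.5:22          198.51.100.7:51234      ESTABLISHED 2171/sshd: alice
tcp        0      0 127.0.0.1:48122         127.0.0.1:25            ESTABLISHED 2171/sshd: alice
tcp        0      0 127.0.0.1:25            127.0.0.1:48122         ESTABLISHED 1201/master
tcp        0      0 127.0.0.1:48130         127.0.0.1:25            ESTABLISHED 2171/sshd: alice
tcp        0      0 203.0.113.5:25          192.0.2.10:40211        ESTABLISHED 1201/master'

# Constructed sample Postfix smtpd log lines (two sessions from localhost,
# one from a remote host).
SAMPLE_MAILLOG='Mar  3 10:12:01 mx postfix/smtpd[2210]: connect from localhost[127.0.0.1]
Mar  3 10:12:01 mx postfix/smtpd[2210]: 7F3A1: client=localhost[127.0.0.1]
Mar  3 10:12:02 mx postfix/smtpd[2210]: disconnect from localhost[127.0.0.1]
Mar  3 10:12:05 mx postfix/smtpd[2211]: connect from localhost[127.0.0.1]
Mar  3 10:13:44 mx postfix/smtpd[2215]: connect from mail.example.net[192.0.2.10]'

# Clue 2: rows where the foreign address is port 25 and the owning process
# is sshd. The program-name column shows which account holds the tunnel.
ssh_to_smtp() {
  printf '%s\n' "$1" | awk '$5 ~ /:25$/ && /sshd/'
}
ssh_to_smtp_count() { ssh_to_smtp "$1" | wc -l | tr -d ' '; }

# Clue 1: SMTP sessions arriving from localhost. The leading ": " keeps
# "disconnect from localhost" lines out of the count.
localhost_smtp_count() {
  printf '%s\n' "$1" | grep -c ': connect from localhost\['
}

# Mitigation check: sshd enables TCP forwarding unless AllowTcpForwarding
# is set to "no". Returns 0 only when it is disabled globally (Match
# blocks are not parsed here). On a live host, `sshd -T` prints the
# effective value.
tcp_forwarding_disabled() {
  printf '%s\n' "$1" | awk 'tolower($1)=="allowtcpforwarding" {v=tolower($2)}
                            END {if (v=="no") exit 0; exit 1}'
}

echo "sshd connections to port 25: $(ssh_to_smtp_count "$SAMPLE_NETSTAT")"
ssh_to_smtp "$SAMPLE_NETSTAT"
echo "SMTP sessions from localhost: $(localhost_smtp_count "$SAMPLE_MAILLOG")"
```

On a real server, replace the samples with `netstat -tnp` (or `ss -tnp`) output and the mail log, and remember that a legitimate local MTA client such as a webmail process will also show up in the localhost count, so the sshd match is the decisive clue.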

Email from Localhost

In most attacks, attackers use either a web application exploit or a compromised user account. These methods produce distinct signatures in the mail logs.

In the case of web application attacks, you can often correlate web logs to email logs to find the site or use PHP mail logging to identify the offending scripts.

For compromised user accounts, SMTP authentication logs will quickly reveal the problem. You will see hundreds of authentications, typically from different IP addresses. Just change the user's password and you're done.